CosmicStrand “UEFI Firmware Rootkit” Malware Affects ASUS & Gigabyte’s Motherboards With Intel Chipsets, Can Completely Crash Victim Machine
The report states that CosmicStrand is a UEFI firmware rootkit: malware that implants itself in the motherboard's firmware, below the operating system, where it is very difficult to detect. Because it does not live on the disk at all, a rootkit of this kind keeps the computer infected even after the OS is reinstalled or the HDD is replaced entirely. An early variant of CosmicStrand dates back to 2017, when it was documented by Chinese researchers; the newer version leaves the PC more exposed than that earlier one did.

According to the report, CosmicStrand mostly affects ASUS and Gigabyte motherboards based on the Intel H81 chipset. The rootkit was found embedded in the firmware images of boards from both vendors, which suggests that a common vulnerability may exist that allowed the attackers to inject the rootkit into those images. Victims were identified in several regions, including China, Vietnam, Iran and Russia, and the affected PCs appear to belong to private individuals. The CosmicStrand malware is believed to have been developed by a Chinese-speaking threat actor "by leveraging common resources shared among Chinese-speaking threat actors."

The workflow consists of setting hooks in succession, so that the malicious code keeps control through each stage of boot and is still running after the OS has started up. The steps involved are:
1. The initial infected firmware bootstraps the whole chain.
2. The malware sets up a malicious hook in the boot manager, allowing it to modify Windows' kernel loader before it is executed.
3. By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
4. When that function is later called during the normal start-up procedure of the OS, the malware takes control of the execution flow one last time.
5. It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim's machine.
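Because the first stage of that chain lives in the firmware image itself, reinstalling the OS or swapping the disk tells you nothing; the only place to look is the SPI flash contents. A whole-image hash comparison against the vendor download is not useful either, since NVRAM and padding regions differ from board to board, so the practical check is to compare the two images module by module. The following is an added example (it is not code from the report, from Kaspersky, or from the page) of that check: a minimal walker for the UEFI firmware volume (FFS) format that hashes each file body and reports which modules were modified, added or removed between a vendor image and a dump. It assumes a single volume with no extended header, nested volumes, section parsing or compression, and every GUID and byte string below is constructed for the demo rather than taken from a real board.

```python
"""Module-level diff of a dumped firmware image against a vendor image.

Simplified FFS walker: one firmware volume, no extended header, no nested
volumes, no section or compression parsing.  Sample images are constructed."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_HEADER_FIXED = 56   # sizeof(EFI_FIRMWARE_VOLUME_HEADER) without the block map
FFS_HEADER_LEN = 24    # sizeof(EFI_FFS_FILE_HEADER)
FFS_ALIGN = 8          # FFS files are 8-byte aligned within the volume
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

# Hypothetical module GUIDs for the constructed sample images (not real vendor modules).
GUID_DXE_DRIVER = "0d8c1a31-4f2e-4a9b-8b6d-1e2f3a4b5c6d"
GUID_PEI_MODULE = "7b1e9c02-55aa-4d3e-9f10-2a3b4c5d6e7f"
GUID_IMPLANT = "3e4a5b6c-7d8e-4f90-a1b2-c3d4e5f60718"


def parse_fv_header(img, fv_off=0):
    """Return (volume length, header length) of the firmware volume at fv_off."""
    if img[fv_off + 40:fv_off + 44] != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset 0x%x" % fv_off)
    fv_len = struct.unpack_from("<Q", img, fv_off + 32)[0]
    hdr_len = struct.unpack_from("<H", img, fv_off + 48)[0]
    if fv_off + fv_len > len(img) or hdr_len < FV_HEADER_FIXED:
        raise ValueError("inconsistent firmware volume header")
    return fv_len, hdr_len


def ffs_files(img, fv_off=0):
    """Map FFS file GUID -> (file type, sha256 of the file body) for one volume."""
    fv_len, hdr_len = parse_fv_header(img, fv_off)
    end = fv_off + fv_len
    off = fv_off + hdr_len
    files = {}
    while off + FFS_HEADER_LEN <= end:
        hdr = img[off:off + FFS_HEADER_LEN]
        if hdr[:16] == b"\xff" * 16:      # erased flash: free space, no more files
            break
        guid = str(uuid.UUID(bytes_le=bytes(hdr[:16])))
        ftype = hdr[18]                    # EFI_FV_FILETYPE_* (0x06 PEIM, 0x07 DRIVER, ...)
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit size, header included
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError("bad FFS file size at offset 0x%x" % off)
        body = img[off + FFS_HEADER_LEN:off + size]
        files[guid] = (ftype, hashlib.sha256(body).hexdigest())
        rel = off - fv_off + size          # next file starts 8-byte aligned in the volume
        off = fv_off + ((rel + FFS_ALIGN - 1) & ~(FFS_ALIGN - 1))
    return files


def diff_firmware(vendor_img, dumped_img):
    """Which modules changed, appeared or vanished between vendor image and dump."""
    base, dump = ffs_files(vendor_img), ffs_files(dumped_img)
    return {
        "modified": sorted(g for g in dump if g in base and dump[g][1] != base[g][1]),
        "added": sorted(g for g in dump if g not in base),
        "removed": sorted(g for g in base if g not in dump),
    }


# Builders for the constructed sample images (fixtures, not real firmware).
def _ffs_file(guid, ftype, body):
    size = FFS_HEADER_LEN + len(body)
    # Name GUID, IntegrityCheck (unchecked here), Type, Attributes, Size[3], State
    return (uuid.UUID(guid).bytes_le + struct.pack("<HBB", 0, ftype, 0)
            + size.to_bytes(3, "little") + b"\xf8") + body


def build_fv(files, free_space=64):
    body = b""
    for guid, ftype, data in files:
        f = _ffs_file(guid, ftype, data)
        body += f + b"\xff" * (-len(f) % FFS_ALIGN)
    hdr_len = FV_HEADER_FIXED + 16         # one block-map entry plus terminator
    fv_len = hdr_len + len(body) + free_space
    hdr = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
           + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)  # attrs, hdr len, checksum (0, unchecked), ext hdr, rsvd, rev
           + struct.pack("<IIII", 1, fv_len, 0, 0))           # block map: 1 block of fv_len, then terminator
    return hdr + body + b"\xff" * free_space


def demo():
    # Constructed driver body: a short x86-64 prologue (sub rsp,0x28; call rel32) plus nops.
    driver = bytes.fromhex("4883ec28e800000000") + b"\x90" * 23
    vendor = build_fv([
        (GUID_DXE_DRIVER, 0x07, driver),
        (GUID_PEI_MODULE, 0x06, b"PEI module body"),
    ])
    # Dump of a tampered flash: the call is overwritten with a jmp rel32 (an inline hook,
    # the kind of patch a firmware-resident rootkit plants) and an extra driver is added.
    hooked = driver[:4] + b"\xe9\x00\x10\x00\x00" + driver[9:]
    dumped = build_fv([
        (GUID_DXE_DRIVER, 0x07, hooked),
        (GUID_PEI_MODULE, 0x06, b"PEI module body"),
        (GUID_IMPLANT, 0x07, b"\xcc" * 32),
    ])
    return diff_firmware(vendor, dumped)


if __name__ == "__main__":
    print(demo())
```

Against real images the walker would be pointed at each volume found by scanning for `_FVH`, and a modified or added driver is only a lead: the next step is to extract that module and diff its code against the vendor copy. Note that the 16-bit header and file checksums are not validated here, so a corrupted dump will surface as parse errors rather than as a clean report.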
So far there seems to be no workaround for the CosmicStrand implant, and it is advisable to refrain from getting an older Gigabyte or ASUS motherboard based on the Intel H81 chipset. Because the rootkit lives in the firmware rather than on disk, reinstalling the OS or replacing the drive does not remove it; only reflashing the board with a known-good firmware image from the vendor does. This also tells us that there are probably more firmware-level implants out there, considering that CosmicStrand has been in the wild for a few years now. The most striking aspect of the report is that this UEFI implant seems to have been used in the wild since the end of 2016, long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?